Out-Law News 4 min. read
19 Nov 2024, 5:23 pm
Major technology providers could face broad new disclosure duties, including obligations to notify regulators of planned technology change projects, resourcing challenges, and of evolving cyber incidents or outages in their infancy, under new rules being introduced in UK financial services.
The Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) confirmed last week that their new ‘critical third parties’ (CTPs) regime will begin to apply from 1 January 2025.
The regime consists of a suite of regulatory requirements pertaining to operational resilience and will apply to ‘critical’ third party service providers. The UK Treasury will designate the CTPs to be subject to the new regime and its designation orders will further specify when the new regime will take effect for those specific providers. Transitional arrangements have been put in place to give providers time to comply with the new requirements.
The introduction of the CTP regime, which follows a consultation exercise held by the regulators, is designed to “address the potential risks to the stability of, or confidence in, the UK financial system”, the regulators said.
“Firms and [financial market infrastructures] are increasingly reliant on technology and other services provided by third parties,” they said. “These services can bring benefits to firms and FMIs, such as improving efficiencies and embracing innovation. However, this increasing reliance brings risks. If many firms rely on the same third party to provide essential services to the UK economy, the failure or disruption of this ‘critical’ third party could threaten the stability of, or confidence in, the UK financial system. It could also impact market integrity and consumer protection.”
Yvonne Dunn of Pinsent Masons, a specialist in technology contracts in financial services, said: “These new rules reflect regulatory focus on suppliers that are key to the ability of financial institutions to deliver products and services to customers. They also align with developments in Europe pursuant to the Digital Operational Resilience Act (DORA). Suppliers that are likely to be CTPs need to mobilise to meet these requirements, some of which need to be operationalised in a relatively short period following designation as a CTP.”
“As well as the impact on the CTPs themselves, it will also be interesting to see how suppliers that are CTPs choose to address some of these requirements in their contracts with customers,” she added.
Under the new regime, providers designated will be subject to six fundamental rules, much like the high-level principles that UK-regulated firms must adhere to in, for example, the FCA Handbook.
Those rules require providers to: conduct their business with integrity; and with due skill, care and diligence; act in a prudent manner; have effective risk strategies and risk management systems; organise and control their affairs responsibly and effectively; and deal with each regulator in an open and cooperative way, and disclose to each regulator appropriately anything relating to the CTP of which it would reasonably expect notice.
The scope of the fundamental rules is limited to services deemed ‘systemic third party services’ that providers provide to firms. However, the exception to this is the sixth rule covering regulatory cooperation and disclosures – it is wider in scope and applies to all the services providers offer.
In their supervisory statement, the regulators set out examples of the matters they would “reasonably expect” providers to disclose. Changes in senior management, planned major change management programmes affecting the ‘systemic’ services, and changes to the resources essential to the delivery of those services, are among the examples cited. Providers would also be expected to provide regulators with “advance warning of incidents” that “are highly likely” to be reportable, under other rules arising under the CTP regime, “imminently or in the short-term”.
The separate obligations to report certain incidents to the regulators form part of a wider set of requirements that CTPs will fall subject to under the new regime. They will, for example, face a series of operational risk and resilience requirements, including around managing supply chain risk and dependencies, as well as specific requirements around technology and cyber risk management. They will also be expected to map the resources they use to deliver its systemic third party services, determine their maximum tolerance for disruption for those services, have documented plans and procedures for responding to and recovering from operational incidents, and have further plans in place to support firms in terminating and exiting from service contracts in an “effective, orderly and timely” way – and help firms recover data and other assets of theirs in the process.
The regulators also have wide-ranging information gathering powers under the new CTP regime. They said they could potentially use those powers to “request information from a CTP about a service it provides to firms that is not considered a systemic third-party service at the time of the information request, but could become so in the future due to rapid adoption among firms”.
Finalisation of the rules for the new CTP regime come after the FCA recently outlined lessons financial services firms can learn on operational resilience from the CrowdStrike outage, a major cyber incident that grounded flights and impacted other important services – including NHS services in the UK – globally, in July.
In that statement, the FCA highlighted the forthcoming March 2025 deadline for UK-regulated financial services firms to be fully compliant with operational resilience requirements that were set by regulators in 2021.
The UK’s CTP regime has also been finalised at a time when ‘critical ICT third-party service providers’ involved in facilitating financial services in the EU face direct regulation under the EU’s Digital Operational Resilience Act (DORA). Like with the UK regime, those providers will identified and brought within scope of DORA through designation. EU regulators have set national authorities a deadline of 30 April 2025 (8-page / 242KB PDF) for sharing information to inform such designations.